Using Fuzzing to Mine for Zero-Days

Fuzzing is a term that sounds hard to take seriously, but it needs to be, given today's attack landscape. Fuzzing has traditionally been a sophisticated technique used by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. It works by feeding invalid, unexpected, or semi-random data into an interface or program and then monitoring for events such as crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks. This process helps developers and researchers find bugs and zero-day vulnerabilities that would be nearly impossible to discover otherwise.
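The loop described above, as an added example that is not part of the original article: a small mutation-based fuzzer in Python. The target, `parse_records`, is a constructed record parser with a deliberately planted bug (it reads a checksum byte at an offset derived from an untrusted length field before checking that the offset is inside the buffer). The fuzzer mutates a seed input with bit flips, boundary values, insertions and deletions, treats a clean `ValueError` rejection as expected behaviour, and buckets anything else by exception type and crash site so one bug is reported once. All names, the record format and the seed input are assumptions made for this example.

```python
import random
import traceback

# Boundary values a real fuzzer tries first (hypothetical but typical set).
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def encode_records(payloads):
    """Constructed record format: 1-byte length, payload, 1-byte XOR checksum."""
    out = bytearray()
    for p in payloads:
        if len(p) > 255:
            raise ValueError("payload too long")
        checksum = 0
        for b in p:
            checksum ^= b
        out.append(len(p))
        out += p
        out.append(checksum)
    return bytes(out)


def parse_records(data):
    """Constructed fuzz target. Deliberately buggy: the checksum byte is read
    at an offset derived from the untrusted length field before that offset
    is validated against the buffer, so a truncated or oversized record
    raises IndexError (the Python analogue of an out-of-bounds read)."""
    records = []
    i = 0
    while i < len(data):
        length = data[i]
        checksum = data[i + 1 + length]            # bug: unchecked offset
        payload = data[i + 1:i + 1 + length]
        actual = 0
        for b in payload:
            actual ^= b
        if actual != checksum:
            raise ValueError("checksum mismatch")  # graceful rejection
        records.append(payload)
        i += 2 + length
    return records


def mutate(seed, rng):
    """Apply one to four random mutations drawn from the classic set."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                       # flip one bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                     # overwrite with a boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == 2:                              # insert a random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif data:                                 # delete a byte
            del data[rng.randrange(len(data))]
    return bytes(data)


def crash_bucket(exc):
    """Bucket a crash by exception type and the innermost frame, so one
    bug is reported once rather than once per crashing input."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def reproduces(target, data):
    """Re-run one input and return the name of the exception it raises, or None."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(target, seeds, iterations=2000, rng_seed=0, expected=(ValueError,)):
    """Plain mutation fuzzer (no coverage feedback): {bucket: first crashing input}."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except expected:
            continue              # clean rejection of bad input is not a bug
        except Exception as exc:  # anything else is a crash worth triaging
            crashes.setdefault(crash_bucket(exc), candidate)
    return crashes


if __name__ == "__main__":
    seed = encode_records([b"hello", b"fuzz"])   # constructed seed input
    for (kind, func, line), inp in fuzz(parse_records, [seed]).items():
        print(f"{kind} in {func}:{line} reproduced by {inp!r}")
```

The key design points are the ones a practitioner cares about: a valid seed so most mutants are close to well-formed input, a distinction between expected rejections and genuine crashes, and deduplication by crash site so the report lists bugs rather than inputs. Production fuzzers such as AFL, libFuzzer and ClusterFuzz add what this example omits: coverage feedback to grow the corpus, sanitizers to turn silent memory corruption into a crash, and minimisation of the crashing input.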

I can’t stop. I’m constantly doing it and craving that next fix. I need it. I’m addicted to the thrill of the hunt -- the anxiety and anticipation for my fuzzers to report a crashing condition. Sometimes that sense of euphoria comes in a matter of seconds. Sometimes hours.

Sometimes days.

And sometimes not at all. And that’s when the withdrawal hits. Hard. So, what does a fuzzing junkie like me do in times like these? They start looking outside the realm of what is comfortable, looking for something to supplement (and even complement) this addiction.

In order for fuzzing to be truly effective, it must be continuous, done at scale, and integrated into the development process of a software project. To provide these features for Chrome, we wrote ClusterFuzz, a fuzzing infrastructure running on over 25,000 cores. Two years ago, we began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz.